
Review Storage Accounts with Static Website Configuration

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: StorageAccounts-017

Ensure that all the Microsoft Azure Storage accounts configured to host static websites are regularly reviewed for security and compliance purposes. Upon enabling this rule on your Cloud Conformity console, you must specify the storage account or the list of storage accounts that are expected to host static content (HTML, CSS, JavaScript and image files).

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

To host static websites using the Microsoft Azure Storage service, you need to configure a storage account as a web hosting container by adding the necessary configuration. By regularly reviewing the Azure Storage accounts configured to host static websites, you make sure that only the desired storage containers are accessible from the primary website endpoint.


Audit

To identify all Azure Storage accounts that host static websites, so that they can be reviewed, perform the following actions:

Using Azure Portal

01 Sign in to your Cloud Conformity console, access the Review Storage Accounts with Static Website Configuration conformity rule settings and identify the storage account or the list of storage accounts that are allowed to host static websites.

02 Sign in to the Azure Management Console.

03 Navigate to the Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

04 On the Storage accounts page, select the subscription that you want to examine from the Subscription filter box.

05 Click on the name of the Azure Storage account that you want to examine.

06 In the navigation panel, under Settings, select Static website to access the static website configuration settings available for the selected storage account.

07 On the static website configuration page, check the Static website setting state. If the setting state is set to Enabled, the selected Microsoft Azure Storage account is configured to host static websites.

08 Compare the name of the storage account verified at the previous step with each account name identified at step no. 1. If the verified Azure Storage account is not allowed to host static websites, the selected account should be reviewed in order to decide whether or not to disable the website hosting feature.

09 Repeat steps no. 5 – 8 for each storage account available in the selected subscription.

10 Repeat steps no. 4 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Sign in to your Cloud Conformity console, access the Review Storage Accounts with Static Website Configuration conformity rule settings and identify the storage account or the list of storage accounts that are allowed to host static websites.

02 Run the storage account list command (Windows/macOS/Linux) using custom query filters to list the name of each storage account available in the current Azure subscription:

az storage account list --query '[*].name'

03 The command output should return the requested storage account identifiers/names:

[
  "abcd1234abcd1234abcd1234",
  "123412341234abcdabcdabcd"
]

04 Run the storage blob service-properties show command (Windows/macOS/Linux) using the name of the storage account that you want to examine as identifier parameter and custom query filters to describe the static website hosting feature status set for the selected storage account:

az storage blob service-properties show --account-name abcd1234abcd1234abcd1234 --query 'staticWebsite.enabled'

05 The command output should return the requested configuration status (true for enabled, false for disabled):

true

If the boolean value returned by the storage blob service-properties show command output is true, the selected Microsoft Azure Storage account is configured to host static websites.

06 Compare the name of the storage account verified at the previous steps with each account name identified at step no. 1. If the verified Azure Storage account is not allowed to host static websites, the selected resource should be reviewed in order to decide whether or not to disable the website hosting feature.

07 Repeat steps no. 4 – 6 for each storage account available in the current Azure subscription.

08 Repeat steps no. 2 – 7 for each subscription created in your Microsoft Azure cloud account.
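The CLI audit steps 02 – 07 above, scripted for the current subscription, as an added example that is not part of the original page or of the Conformity tooling. It assumes an authenticated Azure CLI session; the function names, the allowlist argument and the REVIEW/UNKNOWN output labels are illustrative choices.

```shell
#!/bin/sh
# Added example (not from the original page): Azure CLI audit steps 02-07 for
# the current subscription. The allowlist argument stands in for the account
# names configured in the rule settings (step 01).

# Step 02: print every storage account name, one per line.
list_storage_accounts() {
    az storage account list --query '[].name' --output tsv
}

# Step 04: print "true" or "false" for the static website setting of account $1.
static_website_enabled() {
    az storage blob service-properties show \
        --account-name "$1" \
        --query 'staticWebsite.enabled' \
        --output json
}

# Steps 06-07: print "REVIEW <name>" for each account hosting a static website
# that is missing from the space-separated allowlist in $1, and "UNKNOWN <name>"
# when the setting could not be read. Returns 0 if clean, 1 if anything needs
# review, 2 if the account list itself could not be retrieved.
audit_static_websites() {
    allowed=" $1 "
    status=0
    accounts=$(list_storage_accounts) || return 2
    for account in $accounts; do
        if ! enabled=$(static_website_enabled "$account"); then
            echo "UNKNOWN $account"
            status=1
            continue
        fi
        [ "$enabled" = "true" ] || continue
        case "$allowed" in
            *" $account "*) ;;                       # expected to host a site
            *) echo "REVIEW $account"; status=1 ;;  # drift from the allowlist
        esac
    done
    return "$status"
}

# Run the audit when allowed account names are given as arguments.
if [ "$#" -gt 0 ]; then
    audit_static_websites "$*"
fi
```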

Remediation / Resolution

When the static website hosting feature is disabled at the storage account level, Microsoft Azure Storage service removes the website configuration from your storage account so that the web container that serves the static files is no longer accessible from the website endpoint. To disable this feature for all the reviewed storage accounts that are not allowed to host static websites, perform the following actions:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to the Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

03 On the Storage accounts page, select the subscription that you want to access from the Subscription filter box.

04 Click on the name of the Azure Storage account that you want to reconfigure.

05 In the navigation panel, under Settings, select Static website to access the static website configuration settings available for the selected storage account.

06 On the static website configuration page, click Disabled next to Static website to disable the static website hosting feature for the selected Microsoft Azure Storage account. Click Save to apply the changes. Once the feature is disabled, the static content available on the selected storage account web container is no longer accessible from the website endpoint.

07 Repeat steps no. 4 – 6 for each Azure Storage account available in the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Run the storage blob service-properties update command (Windows/macOS/Linux) using the name of the storage account that you want to reconfigure as identifier parameter to disable the static website hosting feature for the selected Microsoft Azure Storage account:

az storage blob service-properties update --account-name abcd1234abcd1234abcd1234 --static-website false

02 The command output should return the command request metadata (including the current static website hosting configuration):

{
  "cors": [],
  "deleteRetentionPolicy": {
    "days": null,
    "enabled": false
  },
  "hourMetrics": {
    "enabled": true,
    "includeApis": true,
    "retentionPolicy": {
      "days": 7,
      "enabled": true
    },
    "version": "1.0"
  },
  "logging": {
    "delete": false,
    "read": false,
    "retentionPolicy": {
      "days": null,
      "enabled": false
    },
    "version": "1.0",
    "write": false
  },
  "minuteMetrics": {
    "enabled": false,
    "includeApis": null,
    "retentionPolicy": {
      "days": null,
      "enabled": false
    },
    "version": "1.0"
  },
  "staticWebsite": {
    "enabled": false,
    "errorDocument_404Path": null,
    "indexDocument": null
  }
}

03 Repeat steps no. 1 and 2 for each storage account available in the current subscription.

04 Repeat steps no. 1 – 3 for each subscription available within your Microsoft Azure cloud account.


Publication date Dec 17, 2019